Cert-based authentication 'on life support at UK.gov

Single sign-on via certificates is "on life support" at the UK Government Gateway, and there now seems a strong possibility that the Gateway will pull out the plug, and start banging heads together. Speaking to The Register earlier today Alan Mather, the UK e-Envoy's CEO of e-delivery, said that uptake of certificates wasn't anything like his team had expected, and suggested that the achievement of simple, universally available authentication processes might be a matter for government rather than industry.

The Gateway's experience of certificates seems to reflect that of industry as a whole. Most people don't bother with them, and they've singularly failed to set the world on fire. Granted, with the UK Gateway the certificates you can use only support IE and Netscape, but even if the dearth of certificates on other platforms were instantly, miraculously fixed, it wouldn't make a significant difference. Mather points out that uptake of certificates against userid/password is in the ratio 1:6 for businesses using the Gateway, and as the vast majority of visiting browsers are IE and Netscape, this simply reflects general lack of enthusiasm, rather than any Microsoft plot (he's very sensitive about this).

"It's just not a support thing," he says, and squeezing more platforms out of the current cert providers wouldn't make any difference.

"They have this year to prove themselves - but if, say, Customs decided that they weren't worth the effort then that would be that," he says. The Gateway currently uses certificates for Customs & Excise (sales tax) and PAYE (income tax). DEFRA, the department of agriculture, intends to join in with certification for the farming community, but given that certs haven't proved themselves so far (au contraire...) it takes a pretty vivid imagination to see how they might do so even by the middle of next year, never mind the end of this.

So, The Register speculated at Mather, the life support is likely to be shut off Real Soon Now. What then? "We need to pull the strands together, because commercial interests are not going to do it. Government must lead on this, and decide with the technology providers, not the certificate authorities, what's going to happen."

A simple, universally available authentication process remains essential for getting government services online, but if you look at it in that light then there's a logic to government defining the systems and spending the money necessary to make it happen.

But how? Mather says he's reluctant to spend taxpayers' money on more certificates. The Gateway staff could extend the number of platforms by simply writing the code themselves, but without certificates then miraculously becoming popular, that would be a waste of money.

Mobile phones however do present some possibilities, as they have the advantage of portability and device independence. So in principle, you could enter your ID online then have it authenticated via a code sent to your mobile phone.

But there are complications. Some 70 per cent of mobile phones in the UK are pay as you go, and therefore not specifically tied to an individual. The level of security that phones can likely achieve at the moment is equivalent to a level 1 certificate, i.e. anonymous, whereas for personal government transactions you'd want it to be tied to a tax identifier or national insurance number. And although mobile phones with certificate support are starting to ship, Nokia is in Mather's view complicating the issue by tying the certificates to the handset, rather than the SIM.

SIMs can move around from handset to handset, and the handset therefore isn't necessarily ID. So you really want it on the SIM, and if you want it universal, then you've got to get the providers to update all of their SIMs. That, he reckons, would cost around £10 per handset, which somebody would have to pay for.

It might also be possible - not that Mather himself suggested this - to simply use the weight of government to make certificates work. Maybe set up your own certificate authority, commission your own coding, commission some form of runtime browser which can be issued as a fallback for citizens wishing to transact with government, and then give everybody in the UK (or indeed Europe) a free certificate and the ability to use it on demand. Which The Register humbly suggests would concentrate the minds of the warring camps in the IT industry wonderfully. ®